Supply Chain Vulnerabilities (U)

(U) Networks are not the only vulnerable aspect of cyberspace. Software and hardware are also 
at risk of being tampered with before they are linked together in an operational system. The 
majority of information technology products used in the United States are manufactured and 
assembled overseas. The reliance of DoD, and the United States as a whole, on foreign 
manufacturing and development provides broad opportunities for foreign actors to subvert and 
interdict U.S. supply chains at points of design, manufacture, service, distribution, and disposal. 
Additionally, counterfeit hardware and software have already been detected in systems that DoD 
has procured. Rogue code, including so-called “logic bombs” that can cause sudden 
malfunctions, can be inserted into software as it is being developed. Remotely operated “kill 
switches” and hidden “backdoors” can be written into the computer chips used by DoD or in 
critical infrastructure, allowing outside actors to manipulate the systems from afar. Tampering is 
difficult to detect and even harder to eradicate. 
Supply Chain Risk Mitigation Framework (U)

(U) DoD will continue to support the development of whole-of-government approaches for
managing the risks associated with the globalization of the information and communications
technology sector. Many U.S. technology firms outsource software and hardware factors of
production, and in some cases their knowledge base, to firms overseas; this presents adversaries
with significant opportunities to interdict and subvert DoD systems. Additionally, increases in
the number of counterfeit products and components demand procedures to both reduce risk and
increase quality. Dependence on technology from foreign sources diminishes the predictability
and assurance that DoD requires. The global technology supply chain affects mission critical
aspects of the DoD enterprise, along with core U.S. government and private sector functions, and
its risks must be mitigated through strategic public-private sector cooperation.

(U) In accordance with Defense Programming and Planning Guidance for FY2012-2016 and
specific DoD guidance, DoD is implementing a supply chain risk mitigation (SCRM) strategy
with pilot activities and building toward full operational capability by FY16. DoD will
continually implement and refine policies and processes that empower program managers,
systems managers, and acquisition professionals to mitigate supply chain risk wherever they
acquire, integrate, and maintain mission critical networks and systems.

(U) DoD also co-leads the SCRM initiative within the Comprehensive National Cybersecurity
Initiative (CNCI). In this role, DoD is working closely with its interagency partners to
implement a comprehensive SCRM strategy for other U.S. government national security
systems. This collaborative effort will build upon lessons learned from efforts in DoD and
across the government to address shared supply chain challenges.

(S//REL USA, FVEY) Supply chain risks also extend to U.S. critical infrastructure upon which
DoD depends. An example of these risks can be found in the telecommunications sector, as
Chinese telecommunications equipment providers (non-public companies with suspected ties to
the People’s Liberation Army) pursue inroads into the U.S. telecommunications infrastructure.
DoD is working with its interagency partners to develop and implement a multifaceted approach
to SCRM that supports vital government operations and provides a high degree of information
security in a potentially unsecure infrastructure.

(S//REL USA, FVEY) In conjunction with departments and agencies addressing trade and
economic security, the SCRM strategy will promote a diverse and competitive global marketplace
for trusted technology. The objectives of this initiative are to: 1) manage and mitigate the risk of
untrustworthy technology used by the telecommunications sector; 2) promote an open global
marketplace and a level commercial playing field for technology used by the telecommunications
sector; 3) enhance the viability of U.S. science, technology, and advanced manufacturing
capabilities to achieve and support national security objectives. This plan is being developed with
a whole-of-government approach, in cooperation with industry as appropriate, to ensure U.S.
ability to project force, complete intelligence missions, and protect the functioning of the national
economy.


